Ransomware rise as threat actors increase

New figures have highlighted that there was a 68% leap in the number of ransomware attacks in 2023, despite exhaustive efforts by law enforcement to clamp down on the criminals.

Cyber underwriter Corvus Insurance has released its Q4 2023 Ransomware Report, featuring data collected from ransomware leak sites. The report found that while Q4 attacks were down slightly from Q3 2023, ransomware activity for the year surpassed 2022 totals by 68 percent.

Corvus has monitored ransomware activity during 2023 and said it quickly became aware that attacks were occurring at a record pace. Last year, ransomware attacks increased each of the first three quarters and then declined slightly in Q4.

It is thought that significant international law enforcement activity in Q4 successfully disrupted the ransomware ecosystem, including taking down ALPHV/BlackCat, one of the most prolific ransomware gangs, and eliminating Qakbot, a pervasive family of malware used to gain access to victims’ networks.

As a result of law enforcement’s actions, Q4 attacks dropped by 7% from Q3, with 1,278 victims observed on ransomware leak sites. Despite this sequential quarterly drop, Q4 2023 activity was still up year over year. In addition, 2023 established a new record for ransomware attacks with 4,496 total leak site victims, compared to 2,670 in 2022 and 3,048 in 2021.

“While ransomware activity spiked to an all-time high in 2023, the real story here is the incredible impact law enforcement had on these groups as we closed out the year,” said Jason Rebholz, CISO, Corvus Insurance. “Unfortunately, there’s no time to celebrate. Threat actors are resilient and have quickly pivoted to new malware, which means everyone must remain vigilant in their commitment to mitigating these threats.”

The report said Qakbot, also called QBot, was the most commonly observed malware family spread via email in Q3 2023. While international law enforcement took down the Qakbot malware network in Q3, it still accounted for 31 percent of the total ransomware volume for the quarter. Its absence in Q4, along with the threat actors’ search for new capabilities to fill the void, likely contributed to the lower-than-expected number of ransomware victims and the slight decrease in victims in Q4. But this disruption didn’t keep threat actors down for long—Corvus identified a noticeable shift to other malware strains such as “Pikabot” and “DarkGate,” which were used to gain initial access to victim networks.

The number of active ransomware groups increased by 34 percent between Q1 and Q4 2023, the insurer said. This increase can be attributed to the fracturing of well-known ransomware groups that leaked their proprietary encryptors on the dark web, making them available to new actors who started ransomware operations. For example, at least 10 new ransomware groups have used Babuk’s encryptor, which leaked in 2021. In addition, members of larger defunct groups began forming splinter groups, which increased the number of ransomware gangs conducting attacks.

“While many will remember 2023 for its record-setting number of ransomware attacks, what is equally noteworthy is the resiliency of threat actors who, despite growing action from law enforcement, were quick to use new forms of malware to secure initial access,” Rebholz said. “Throughout 2024, we will undoubtedly witness much of the same activity, as criminals continue to attack, shift, re-brand, and strike again. Businesses should remain prepared with enhanced security controls and cyber insurance policies to help minimize risk.”
